Breaking Through to Users for Better Security, Inside Out

In today’s world of big data, some of the most valuable information you can collect is simple insight into the people you’re trying to protect. Your users are all different, and to reach them you need to tailor your messages to address their individual interests, concerns, and needs.

That’s where “personas” come in—by developing profiles of various types of users you can learn how to communicate with them more effectively and address any resistance they may have.

Here are four sample personas, with ideas on how to best to reach them regarding security.

Meaghan, your CEO: Meaghan has been a CEO for a few years, coming from roles in both Sales and Finance. She has a good reputation for strategic thinking, but not much exposure to the nuts and bolts of her IT systems. She reads plenty of business and trade press, and knows she needs to do more about security. The board and auditors are asking questions, and she needs answers.

Meaghan’s priorities are profitability, growth, and stability for the company. Help her understand that good security is critical to all three. It keeps downtime and cleanup costs low. It protects the company’s customers and its reputation. To close her, show samples of data you expect to generate, like the increasing number of systems patched or the decreasing number of machines corrupted. Avoid trying to scare her with headlines or competitor breaches. That can ultimately lead to a thorny question: “So you will keep this from happening to us?”

Jay, an Engineer: Jay is an engineer on one of your customer-facing applications. Changing requirements regularly swamp him, and he relies on a variety of open-source software and tools. He is active in Meet-ups and Github, and he is pretty sure he knows more about security and IT than you or the IT department. He will resist security because he doesn’t think he needs it, and he is sure it will slow him down.

Temper your impatience with Jay. Remember he has hard deadlines and deliverables. When you talk with Jay, let him know you will be protecting his machine from attacks that could slow him down. Encourage him to suggest security testing for his application, take his input, and respect it. Once integrated into the program, he will support, not fight, your team.

Terry, the Office Administrator: Terry holds the office together. He orders systems, manages the employee database, and acts as the first-line support representative when a customer calls through on the wrong line. He may not have built your systems, but he feels confident in their ins and outs. Terry is frequently subjected to phishing and malware campaigns. He is the hub through which all business-related communications pass, and he is an ideal and catastrophic target for ransomware.

Terry probably doesn’t understand how his central role makes him a valuable target. Present real-world information about the ways attackers could exploit his systems or credentials. Help him to understand the risks of weak passwords on partner systems and of well-crafted phishing notes. Involve him in your group. He is a likely first target, and his attentiveness can be a valuable early-warning system. He will also be a compelling internal champion.

Rachel, a Salesperson: Rachel is not willing to let anything get in the way of her deals. She is always on the move, taking meetings, calls, and videoconferences wherever she finds herself. She connects to networks at airports, gas stations, and Starbucks. When she has no other options, she connects to any network she can get an IP address on. She is constantly reaching out to new prospects, building her network, and regularly sends and receives proposal documents.

Rachel is the least open to new controls or practices. You will need to help her understand the risks of her promiscuous internetworking and how to mitigate them. Give her an easy way to check her inbound attachments before she opens them. Show her stats on negative customer reaction to data breaches. She should know that her outbound messages to customers could be infected and embarrassing if her machine gets compromised.

Better Security, Inside Out

Take the time to learn as much as you can about your co-workers, at least as much as you spend at DefCon or RSA learning about attackers and attacks. Knowing all about the latest threats is only helpful if you can convey and leverage that knowledge effectively.